Strong Customer Authentication (SCA)

On 17 October 2019, the German Federal Financial Supervisory Authority (BaFin) set 31 December 2020 as the end of the grace period for the non-use of strong customer authentication for card payments carried out online. BaFin also announced that it will incorporate into its supervisory practices the milestones and data to be reported as determined by the European Banking Authority (EBA) for the purpose of supervising and monitoring progress.

Concardis intends to make use of the relief within the framework of the BaFin provisions. As a merchant, you will be informed separately, in line with the Concardis migration schedule, about any upcoming migration information and tasks.

Strong customer authentication

The European Union is making online retail even more secure!

The objective is to create a trustworthy environment for both the merchant and the customer. Additionally, this will reduce the risk of abuse, which in turn means cost savings for the merchant.

Previously optional guidelines became obligatory as of 14 September 2019. However, following BaFin's decision, this obligation must be implemented by 31 December 2020 at the latest. The European Banking Authority (EBA) requires clear authentication of the payer with at least two of the following elements:

KNOWLEDGE

PIN, password and other security questions whose answers are only known to the customer.

POSSESSION

Smartphone, token and other objects which are only in the customer’s possession.

INHERENCE

Fingerprints as well as all aspects and biometric characteristics which identify the individual customer.

What dates are important?

The grace period ends on 31 December 2020. Payengine will make the corresponding required protocol versions available in due time.

The cruxes of PSD2

Two-factor authentication for online payments
Details: Confirmation with two factors from three different areas (Knowledge | Possession | Inherence)
Aim: Greater payment security

Open banking account interfaces
Details: Open interfaces for third-party providers
Aim: Greater competition

Surcharge ban
Details: No extra fees, e.g. for credit card payments
Aim: Greater protection for consumers

What happens in the worst-case scenario?

In the worst-case scenario, Concardis will refuse authorisations ...

If a transaction is sent as an exemption that has not been coordinated with Concardis.

If transactions subject to SCA are submitted without a corresponding SCA identification.

If the flagging of the transaction does not correspond to the rules.

In the event of erroneous MIT identification.

And if the internal fraud prevention system is triggered, of course.

Concardis will process all transactions that fall within the regulations (SCA or exemptions). However, rejection by the card issuer cannot be excluded.